Data Processing Addendum (“DPA”)

Yardi customers may subscribe to notifications of DPA changes by filling out this form.

If you have already subscribed and would like to unsubscribe, please use this form.

Effective Date: March 6, 2023

Where Yardi Systems, Inc. and/or its affiliates (“Yardi” and “Data Processor”) processes Personal Data on behalf of Client (“You,” “Client,” and “Data Controller”), the current version of this DPA applies to you as part of your underlying property management software license with Yardi (the “Agreement”). This DPA is effective on the Effective Date and amends, supersedes and replaces any prior data processing agreements that the Parties may have entered into.

HEREBY AGREE AS FOLLOWS:

1.     Definitions

1.1   “Business Purposes” means accessing the Yardi Cloud to use the Licensed Programs and Yardi Cloud Services for Client’s property management and accounting, and related business purposes.

1.2   “Consumer” and “Data Subject” shall have the meaning ascribed to them in applicable Data Protection Law. 

1.3   “Data Controller” has the meaning ascribed to the terms “business” or “controller” under applicable Data Protection Law, and will, at a minimum, mean the company that determines the purposes and means of the processing of Personal Data.

1.4   “Data Processor” has the meaning ascribed to the terms “processor” and “service provider” under applicable Data Protection Law, and will, at a minimum mean the company which processes Personal Data on behalf of the Data Controller.

1.5   “Data Protection Law” means all data protection or privacy laws applicable anywhere in the world to the Processing of Personal Data under the Agreement, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”), the EU and UK General Data Protection Regulation 2016/679 (“GDPR”), and the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

1.6   “Designated User” or “DU” has the meaning ascribed in the Agreement, or if not defined, shall mean a Client employee or Contractor designated by Client to access the Yardi Cloud and Use the Yardi Cloud Services and Licensed Programs for Business Purposes.

1.7   “Licensed Programs” or “Software” means the software program(s) identified in the Agreement.

1.8   “Personal Data” means “personal data” or “personal information” as defined under applicable Data Protection Law that Yardi is processing pursuant to the Agreement.

1.9   “Process” or “Processing” has the meaning ascribed to the term(s) under applicable Data Protection Law.

1.10 “Services” shall mean any services performed by Yardi for Client pursuant to the Agreement, including but not limited to Data Controller’s access to and use of Data Processor’s proprietary hosted technology.

1.11 “Standard Contractual Clauses” or “SCC” means (i) the SCC annexed to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCC”) for the transfer of Personal Data from the EEA to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council with respect to transfers subject to the EU GDPR; (ii) the International Data Transfer Addendum [Version B1.0, issued by the Information Commissioner’s Office (ICO) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022] (“UK SCC”), which is appended to the EU SCC with respect to transfers subject to the UK GDPR; or any other SCC issued by the EU Commission or UK ICO which replace such clauses from time to time.

1.12 “Yardi Cloud” has the meaning ascribed in the Agreement, or if not defined, shall mean the hardware, software, storage, firewalls, intrusion detection devices, load balancing units, switches and other hardware that make up the Yardi Cloud.

1.13 All other capitalized terms shall have the meaning ascribed to them in the Agreement.

2.     Subject matter of this DPA

2.1   This DPA applies exclusively to the Services and Processing of Personal Data that is subject to applicable Data Protection Law in the scope of the Agreement. The Agreement and this DPA shall form the “documented instructions” of the Data Controller, as used and further described in this DPA, in relation to the Processing of Personal Data in accordance with applicable Data Protection Law.  The nature and purpose of the processing, an overview of the types of Personal Data, and the categories of Data Subjects is set forth in the Agreement. 

3.     The Data Controller and the Data Processor

3.1   As between the Parties, the Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Data Processor. The Data Processor will process the Personal Data only as set forth in Data Controller’s written instructions. 

3.2   The Data Processor will only process the Personal Data on documented instructions of the Data Controller in such manner as, and to the extent that, it is appropriate for the provision of the Services, except as required to comply with a legal obligation to which the Data Processor is subject. In such a case, the Data Processor shall inform the Data Controller of that legal obligation before processing, unless that law explicitly prohibits the furnishing of such information to the Data Controller. The Data Processor shall not process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes applicable Data Protection Law.

3.3   The Parties have entered into the Agreement in order for the Services to benefit Data Controller’s Business Purposes. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to provide the Services, subject to the requirements of this DPA.

4.     Data Subjects

4.1   To the extent required by applicable Data Protection Law, Data Controller is responsible for ensuring that there is a legal basis for the Processing in relation to the Services and that it has and will provide all notices required by applicable Data Protection Law, and for ensuring that a record of such legal basis and/or notices is maintained. Should a Data Subject or Consumer make any lawful request under applicable Data Protection Law, Data Controller is solely responsible, as between the Parties, for deleting such Personal Data from the database(s) associated with Data Controller’s instance of the Licensed Programs or otherwise responding to and meeting any such Data Subject or Consumer request. Data Processor shall promptly refer to Data Controller any request from Data Subjects or Consumers to exercise any applicable data protection rights (including rights of access, rectification, erasure, objection, restriction, portability, and the right to opt-out) under applicable Data Protection Law. The Licensed Programs provide Data Controller with functionality for Data Controller Designated Users to meet Data Controller’s obligations to respond to and meet such requests from Data Subjects or Consumers. Data Processor will provide reasonable assistance to Data Controller in responding to and meeting requests from Data Subjects or Consumers, pursuant to the terms and conditions of Data Processor’s standard support services under the Agreement.

5.     Confidentiality

5.1   Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as strictly confidential and it shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data by Data Processor of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality. The Data Controller is responsible for ensuring that its Designated Users have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.     Security

6.1   Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. Data Controller is responsible for reviewing the information Data Processor makes available regarding its data security, including its audit reports and compliance documents referenced in Section 6.3 below, and making an independent determination as to whether the Services meet Data Controller’s requirements and legal obligations, including its obligations under applicable Data Protection Law. Data Controller acknowledges that the Services include certain features and functionalities that Data Controller may elect to use that impact the security of the data Processed by Data Controller’s use of the Services, including but not limited to encryption at rest functionality. Data Controller is further responsible for its Designated Users’ access to Personal Data and for using the available features and functionalities to maintain appropriate security in light of the nature of the data processed by its use of the Services.

6.2   The Data Processor has and shall at all times maintain an appropriate information security policy with respect to the processing of Personal Data that, as appropriate, includes measures described in Section 6.1. As described in Section 6.3 below, Data Processor shall provide information to Data Controller about its information security program. The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements, but will not in any circumstance materially diminish its security measures. The Data Processor will therefore evaluate its information security program on an on-going basis and in its sole discretion will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Section 6. 

6.3   At the request of the Data Controller, the Data Processor shall make available to Data Controller, Data Controller’s auditors and/or any supervisory or government body all information necessary to demonstrate Data Processor’s compliance with this Section 6 and allow for and contribute to audits, including inspections.  In furtherance of the foregoing, the Data Processor shall conduct the audits described below and provide the Data Controller and/or the Data Controller´s auditors the following information relating to the Processing of the Personal Data:

(a)   SSAE18 Audits.  During the Term, and so long as SSAE18 remains a current and industry standard auditing standard, Data Processor agrees to at least annually undertake an audit in accord with the American Institute of Certified Public Accountants’  Statement on Standards for Attestation Engagements No. 18 or a successor standard (collectively, “SSAE18”) with respect to the Yardi Cloud Service.  Upon Data Controller’s request, and no more than annually, Data Processor will provide a copy of its then-current SSAE18 audit report for Data Controller’s review.

(b)   Shared Assessments Program.  As of the Effective Date, Data Processor subscribes to the Shared Assessments Program methodology, which is rooted in industry standards and common compliances, including the Standardized Information Gathering (SIG) questionnaire. The SIG is a comprehensive standardized format questionnaire, created and revised annually by financial industry leaders, aimed at efficiently fulfilling vendor due diligence and risk assessment. So long as Data Processor continues to subscribe to the Shared Assessments Program and completes a SIG questionnaire on an annual basis, upon Data Controller’s request, and no more than annually, Data Processor agrees to provide a copy of its then-current completed SIG questionnaire for Data Controller’s review.

(c)   Penetration Testing.  Data Processor will conduct annual penetration tests upon the Yardi Cloud.  The testing and remediation validation will be performed by an independent third party and evidenced by a separate independent third party in Data Processor’s then current SSAE18 audit report. 

(d)   Data Controller agrees that the Data Processor SSAE18 audit report, SIG questionnaire, and information about penetration tests on the Yardi Cloud are Confidential Information as defined the Agreement and subject to Data Controller’s confidentiality obligations as provided in the Agreement.

The Data Controller shall be entitled on giving at least 30 days’ notice to the Data Processor (unless requested on shorter notice by a supervisory authority), and no more than one time in any calendar year (unless required by a supervisory authority), to carry out, or have carried out by a third party who has entered into a confidentiality agreement with the Data Processor, an audit or inspection of Data Processor subject to Data Processor’s security policies and procedures. The Data Processor shall reasonably cooperate with such audits requested and carried out by or on behalf of the Data Controller, including by making the information and documents described above in this Section 6.3 available for inspection. Any such onsite audit must be conducted during regular business hours of Data Processor. Any requested onsite audit of more than 4 hours may be subject to additional or applicable fees under the Agreement. 

With regard to Section 6.3, where an instruction or request from the Data Controller or Data Controller’s auditors to the Data Processor for the Data Processor to provide information to the Data Controller or Data Controller’s auditors would, in the opinion of the Data Processor, infringe Data Protection Law or other applicable laws to which the Data Controller or the Data Processor are subject, the Data Processor shall immediately inform the Data Controller.

7.     Data Transfers

7.1   This paragraph 7 applies only to the extent the processing of Personal Data under the Agreement is subject to GDPR.

7.2   The Data Controller hereby provides Data Processor with general authorization to transfer any Personal Data from the European Union to any country or territory outside the European Economic Area (EEA), United Kingdom (UK), or Switzerland provided that it takes such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Law. Such measures may include (without limitation) transferring Personal Data: (i) to a recipient in a country or territory has been declared to provide an adequate level of protection for Personal Data by the European Commission or the UK ICO or the Switzerland Federal Data Protection and Information Commissioner (FDPIC), as applicable; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed Standard Contractual Clauses. The Parties recognize that certain standard Data Processor support services may involve, or be deemed to constitute, a transfer of Personal Data outside the EEA, UK, or Switzerland, as applicable, and therefore the parties agree that the terms of the SCC attached hereto as Appendix 2 shall apply. The Data Controller and Data Processor rely on the EU SCC in Appendix 2 to the extent any transfer of Personal Data is subject to the EU GDPR. The Data Controller and Data Processor rely on the EU SCC in Appendix 2 (subject to the application of appropriate interpretative provisions), including the UK SCC in Annex IV of Appendix 2 to the extent any transfer of data is subject to the UK GDPR. To the extent reliance on the EU SCC or UK SCC is not deemed valid, the Parties seek to rely on the fallback position of the Switzerland SCC. The information set forth in Annex I and Annex II of Appendix 2 constitutes the information required to be included in the schedules and appendices to the UK or Swiss SCC. Each party’s signature to the Agreement shall be considered a signature to the SCC to the extent that the SCC apply hereunder.   

7.3   To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

8.     Information Obligations and Incident Management

8.1   When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Agreement, it shall, as required by applicable Data Protection Law, notify the Data Controller about the incident without undue delay, at all times cooperate with the Data Controller, and follow the Data Controller’s reasonable instructions (within the scope of the Agreement) with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.

8.2   The term “incident,” as used in this section shall have the meaning ascribed to it (or the equivalent term) in applicable Data Protection Law.

8.3   The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident.

8.4   Any notifications made to the Data Controller pursuant to this Section 8 shall be addressed to the SPOC of the Data Controller whose contact details are on file, and as the information becomes available, shall contain:

(a)   a description of the nature of the incident, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b)   the name and contact details of the Data Processor’s data protection officer (specified in Appendix 1) or another contact point where more information can be obtained;

(c)   a description of the likely consequences of the incident; and

(d)   a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.

9.     Contracting with Sub-Processors

9.1   Data Controller agrees that Data Processor may engage Data Processor affiliates and other Data Processors as defined by applicable Data Protection Law (“Sub-Processors”) to process Personal Data on behalf of Data Controller. Data Processor shall ensure that any Processing of Personal Data by a Sub-Processor is governed by a contract. Additional details regarding the Sub-Processors currently engaged by Data Processor is attached hereto in Annex III (List of Sub-Processors) of Appendix 2 (Standard Contractual Clauses).

10.   Returning and Destruction of Personal Data

10.1 Upon expiration or termination of this DPA and the Agreement, the Data Processor shall make Data Controller’s Client Data available to Data Controller for secure download for a limited time period, following which Data Processor shall delete such Client Data.

11.   Miscellaneous

11.1 In the event of any inconsistency between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

APPENDIX 1:

Contact information of the Data Protection Officer/Compliance Officer of the Data Processor.

Name: Dan Campbell                                                            
Title: Vice President                                                              
Address: 430 South Fairview, Santa Barbara, CA 93117     
Phone:+1 (805) 699-2040                                                     
Email Address: [email protected]                                       

APPENDIX 2 – STANDARD CONTRACTUAL CLAUSES

Client has read, understood, and agrees to be bound by the additional terms and conditions in the Standard Contractual Clauses posted at https://resources.yardi.com/legal/standard-contractual-clauses/, which is hereby incorporated by reference.

The Standard Contractual Clauses will apply in the following manner, as appropriate:

(a) Module Two (Controller to Processor) of the Standard Contractual Clauses will apply where Client is a Data Controller of Personal Data and Yardi is processing Personal Data as a Data Processor.   

(b) Module Three (Processor to Processor) of the Standard Contractual Clauses will apply where Client is a Data Processor of Personal Data and Yardi is processing Personal Data as a Data Processor.   

APPENDIX 3 – CCPA TERMS

For purposes of this Appendix 3, the terms “Commercial Purposes,” “Sell,” “Service Provider” and “Share” shall have the meaning given thereto in the CCPA.

(a)   It is the Parties’ intent that with respect to any Personal Data, Yardi is a Service Provider with respect to its Processing of such Personal Data. Yardi: (a) acknowledges that Personal Data is disclosed by Client for Business Purposes; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Data as is required by the CCPA; (c) shall notify Client in writing of any determination made by Yardi that it can no longer meet its obligations under the CCPA; and (d) agrees that Client has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

(b)   Yardi agrees that Client may conduct audits, in accordance with Section 6.3 of the DPA, to help ensure that Yardi’s use of Personal Data is consistent with Yardi’s obligations under the CCPA.

(c)   Yardi shall not (a) Sell or Share any Personal Data; (b) retain, use or disclose any Personal Data for any Commercial Purposes other than for Business Purposes, or as otherwise permitted by the CCPA, (c) retain, use or disclose the Personal Data outside of the direct business relationship between Yardi and Client, or (d) combine Personal Data received pursuant to the Agreement with Personal Data (i) received from or on behalf of another person, or (ii) or collected from Yardi’s own interaction with any consumer to whom such Personal Data pertains, in either case in violation of CCPA.  Yardi hereby certifies that it understands its obligations under this subsection (c) and will comply with them.

(d)   Yardi’s notice to Client of Sub-Processor engagements in accordance with Section 9 of the DPA shall satisfy Yardi’s obligation under the CCPA to give notice of such engagements.

(e)   The parties acknowledge that Yardi’s retention, use and disclosure of Personal Data authorized by Client’s instructions documented in the Agreement are integral to Yardi’s provision of the Services and the business relationship between the parties.

(f)    If Yardi receives a request directly from an individual, Yardi will notify Client pursuant to Section 4.1 of the DPA.

(g)   Yardi agrees to cooperate in good faith with Client concerning any amendments to this DPA to the extent required by CCPA.